APPENDIX 2 



/** 

* IPS multithreaded error (rule) processing engine 

* ©file errorj3rocessor.h 

* ©author jmccaskey 
*/ 

#ifndef ERROR_PROCESSOR_H 
#define ERROR_,PROCESSOR_H 

/** 

* Function to process an error node as generated by the rule code. 

* This function should be called as a thread. It is responsible for 

* deciding whether or not an error log entry should be created. 

* creating it if so. and updating the escalation level for rule_monitor table 

* entries. 
*/ 

void error_processor(); 
#include "error jDrocessor.c" 



#endif 



\ 



r 

* IPS multithreaded event processing engine 

* Contains functions responsible for error Jog inserts 

* and rule_monitor table updates. 

* @file error_processor.c 

* ©author jmccaskey 
*/ 

/** 

* Function to process an error node as generated by the rule code. 

* This function should be called as a thread. It is responsible for 

* deciding whether or not an error log entry should be created. 

* creating it if so, and updating the escalation level for rule_monitor table 

* entries. 
V 

void error_processor() { 

MYSQL mysqLconnection; 
MYSQL_RES Result; 
MYSQL_ROW row; 
char *sqLquery; 
int n; 

int send_notification = 1 ; 

mysql_threadjnit(); 
//try the mysql connection 
my sq IJ n it( & mysq l_co n nection ) ; 

if(!mysql_reaLconnect(&mysqLconnection, db_host, db_user. db_pass, db_db, 0, NULL. 0)) { 
flockfile{stderr); 

fprintf(stderr, "%s: Failed to connect to database: Error: %s\n", timestamp. 
mysqLerror(&mysql_connection)); 
funlockfile(stderr); 
pthread_exit(NULL); 

} 

//try to select the database 

if(mysql_select_db(&mysqLconnection, db_db)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed to select database: Error: %s\n". timestamp. 
mysqLerror(&mysql_connection)); 
funlockfile(stderr); 
pthread_exit(NULL); 

} 

//infinite loop to be exited within when polling is done and nothing is left in the queue 

error_node *ermode; 

while(1){ 

//default back to not sending a notification each loop 
send_notification = 1; 

pthread_mutexJock(&error_work_queue.mutex); 
while(error_work__queue.c_queue.head==NULL) { 
pthread_mutexJock(&polling_done_mutex); 
if(polling_done==1){ 

pthread_mutex_unlock(&polling__done_mutex); 

pthread_mutex_unlock(&error_work_queue.mutex); 

//we are finished with everything in the queue and nothing more is 



coming... time to die 

mysql_close(&mysql_connection); 
mysql_threacl_end(); 
pthread_exit(NULL); 
} else { 

pthread_mutex_unlock(&polling_done_mutex); 

//more errors may be coming... wait for them... 
pthread_cond_wait(&error_work_queue.cond. 
&error_work__queue.mutex); //now unlocked... reaquired after we pass 
} 

} 



#ifdef DEBUG 



#endif 



%d 



errnode = (error_node *) queue_get(&error__work_queue.c_queue); 
pthread_mutex_unlock(&error_work_queue.mutex); 

flockfile(stdout); 

fprintf(stdout "%s\n", ermode->message); 
funlockfile(stdout); 



assert(sql_query = malloc(800)); 
n=snprintf(sql_query, 800. "SELECT current^escalation FROM rule_monitor WHERE rulejd ■ 



"AND rule_serverjd = %d AND monitor Jd = %d AND monitor_serverJd = %d", 
errnode->ruleJd. errnode->rule_serverJd. errnode->monitorJd, errnode- 
>monitor_serverJd); 

//execute query for devices 

if(mysqLreal_query(&mysql_connection, sql_query. n)!=0) { 
flockfile(stderr); 

fprintf{stderr, "%s: Failed while attempting to select old escalation level: Error: %s\n". 
timestamp, mysql_error(&mysqLconnection)); 
funlockfile(stderr); 
free(sql_query); 
} else { 

free(sqLquery); 

} 

//store results from last query into result 
result=mysqLstore_result(&mysqLconnection); 

int escalation = 0; 
row=mysql_fetch_row(result); 
if(row==NULL) { 
flockfile(stderr); 

fprintf(stderr. "%s: Couldn't fetch old escalation, asuming it was zero for this 
single rule...\n", timestamp); 

funlockfile(stderr); 
mysqLfree_result(result); 
} else { 

escalation = atoi(row[0]); 

} 

//now we have the row... 
if(ermode->failed == 0) { 
if(escalation > 0) { 

assert(sqLquery = malloc(800)); 



n=snprintf(sqLquery. 800, "UPDATE mle_monitor SET 
current^escalation = 0 WHERE rulejd = %6 " 

"AND ru!e_serverjd = %d AND monitorjd = %d AND 

monitor_serverJd = %d", 

errnode->ruleJd. errnode->rule_serverJd, errnode- 

>monitorJd, errnode->monitor_serverJd); 

if(mysql_reaLquery(&mysql_connection. sql_query, n)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed while attempting to reset escalation: Error: %s\n". 
timestamp, nnysqLerror{&mysqLconnection)); 

funlockfile(stderr); 

} 

free(sqLquery); 
} else { 

//this is an ok. and the rule was already ok last period, so don't do 

anything with it 

send_notification = 0; 

} 

} else if(errnode'>failed == 1) { 

assert(sqLquery = malloc(800)); 

n=snprintf(sqLquery. 800. "UPDATE rule_monitor SET current_escalation = %d 

WHERE rulejd = %d " 

"AND rule_serverjd = %d AND monitorjd = %d AND monitor_serverjd = 

%d". escalation+5, 

ermode->ruleJd, errnode->rule_serverJd. errnode- 

>monitorJd, errnode->monitor_serverjd); 
#ifdef DEBUG 

flockfile(stdout); 

fprintf(stdout. "%s\n". sqLquery); 
funlockfile(stdout); 

#endif 

escalation += 5; 

if(mysqLreal_query(&mysql_connection, sqLquery. n)!=0) { 
flockfile(stderr); 

fprintf(stderr, "%s: Failed while attempting to increase escalation: Error: %s\n". 
timestamp, mysqLerror{&mysqLconnection)); 

funlockfile(stderr); 

} 

free(sql_query); 
} 

if(send_notification == 1 ) { 
char verdict[6]; 
if(errnode->failed == 1) 

strcpy(verdict, "ERROR"); 

else 

strcpy(verdict, "OK"); 

assert(sqLquery = malloc(IOOO)); 
n=snprintf(sqLquery, 1000, "INSERT INTO error Jog " 

"(error Jog_serverJd, rulejd. rule_serverjd. monitorjd. 

monitor_serverJd, " 

"msg, timestamp. verdict, escalation, notified) " 
•VALUES (%d. %d. %d. %d. %d. '%s'. '%s'. '%s\ %d. 0)", 
serverjd, errnode->ruleJd. ermode->rule_serverJd, errnode- 
>monitorJd, ermode->monitor_serverJd, 

en'node->message. timestamp. verdict, escalation); 



#ifdef DEBUG 

flockfile(stdout); 

fprintf(stdout, "%s\n", sqLquery); 
funlockfile(stdout); 

#endif 

if(mysqLreaLquery(&mysqLconnection. sqLquery, n)!=0) { 
flockfile{stderr); 

fprintf(stderr, "%s: Failed while attempting to insert into errorjog: Error: %s\n", 
timestamp. mysql_error(&mysqLconnection)); 

funlockfiie(stderr); 

} 

free(sqLquery); 
} 

nfiysql_free_result( result); 
free(errnode); 

} 

} 



